Update our ECR publish so that we can gc

[dwwoelfel]

Changes our ECR publishing so that we can set up lifecycle rules to delete old containers.

Two changes to how we publish:

1. Use a separate repo for the build cache. This lets us more easily expire the build cache images without worrying about accidentally removing images we care about.
2. Tag the latest image with a prod tag, so that we definitely don't delete the version we rely on in prod

Then the other change is to add a lifecycle rule that will expire old images. I put that in the config/ecr/README.md file.

After merging this in, I'll add the lifecycle rules for the ecr repo and preview what it deletes to confirm we're not deleting stuff we need.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ffd3f833-fad4-45c2-a435-c70a97233486

📥 Commits

Reviewing files that changed from the base of the PR and between c087b04 and 1f409cc.

📒 Files selected for processing (1)

• server/config/ecr/README.md

✅ Files skipped from review due to trivial changes (1)

• server/config/ecr/README.md

---

📝 Walkthrough

Walkthrough

Updates publish-image workflow to determine deploy target from commit messages and push images with both commit-SHA and deploy-target tags using a build-cache repo; updates Elastic Beanstalk environment name; adds ECR lifecycle policy documentation for retention and cache expiry.

Changes

Deployment Infrastructure and Lifecycle Management

Layer / File(s)	Summary
Deployment target logic and image tagging .github/workflows/clojure.yml, server/.elasticbeanstalk/config.yml	Workflow adds a step to determine deployment target from commit message ([staging] sets staging, otherwise prod), passes DEPLOY_TARGET to Docker build, publishes images with both commit-SHA and target tags, and switches build cache to instant-prod-ecr-buildcache:cache. Elastic Beanstalk default environment updated to Instant-docker-prod-env-2.
ECR lifecycle policy documentation server/config/ecr/README.md	Documents lifecycle policies for instant-prod-ecr (preserve prod/staging tags indefinitely; expire other tagged images after 90 days; expire untagged/orphaned images after 7 days) and instant-prod-ecr-buildcache (expire all images after 30 days). Includes UI and CLI apply/preview commands.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update our ECR publish so that we can gc' is related to the main objective of enabling garbage collection of old ECR images, though the abbreviation 'gc' is somewhat informal.
Description check	✅ Passed	The description clearly explains the changes made and their rationale: separating the build cache into a new repo, adding a prod tag for protection, and adding lifecycle rule documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch erc-lifecycle

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

server/config/ecr/README.md (2)

98-113: ⚡ Quick win

Consider storing policies in separate JSON files.

The current approach requires manually copying and pasting JSON from the README, which is error-prone. Consider creating instant-prod-ecr-policy.json and instant-prod-ecr-buildcache-policy.json files, then reference them directly:

♻️ Proposed improvement

Create server/config/ecr/instant-prod-ecr-policy.json:

{
  "rules": [
    { ... policy from lines 24-61 ... }
  ]
}

Create server/config/ecr/instant-prod-ecr-buildcache-policy.json:

{
  "rules": [
    { ... policy from lines 72-85 ... }
  ]
}

Update CLI commands:

-aws --region us-east-1 ecr put-lifecycle-policy \
-  --repository-name instant-prod-ecr \
-  --lifecycle-policy-text "$(jq -c '.' <<'JSON'
-<paste the instant-prod-ecr policy JSON above>
-JSON
-)"
+aws --region us-east-1 ecr put-lifecycle-policy \
+  --repository-name instant-prod-ecr \
+  --lifecycle-policy-text "$(jq -c '.' server/config/ecr/instant-prod-ecr-policy.json)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/config/ecr/README.md` around lines 98 - 113, Move the inline heredoc
JSON into separate files and update the README commands to reference them:
create server/config/ecr/instant-prod-ecr-policy.json and
server/config/ecr/instant-prod-ecr-buildcache-policy.json containing the
respective lifecycle policy objects (the rules shown in the README), then
replace the heredoc usage in the README with aws ecr put-lifecycle-policy
--repository-name instant-prod-ecr --lifecycle-policy-text
file://server/config/ecr/instant-prod-ecr-policy.json and the analogous command
for instant-prod-ecr-buildcache so the CLI reads the JSON files directly.

---

23-36: 💤 Low value

Consider documenting the countNumber workaround.

The countNumber: 9999 combined with imageCountMoreThan is a workaround to keep images indefinitely (they'll only expire if count exceeds 9999, which won't happen). While this works correctly, consider adding a comment explaining that ECR doesn't support a native "never expire" rule.

📝 Suggested clarification

     {
       "rulePriority": 1,
-      "description": "Keep the moving prod and staging tags forever",
+      "description": "Keep the moving prod and staging tags forever (countNumber > 9999 = never expire)",
       "selection": {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/config/ecr/README.md` around lines 23 - 36, Add a short explanatory
note to the README near the ECR lifecycle rule example clarifying that using
"countType": "imageCountMoreThan" with "countNumber": 9999 (as shown in the rule
containing tagPatternList ["prod","staging"]) is an intentional workaround to
effectively never expire those tags because ECR has no native "never expire"
setting; mention that the high countNumber prevents accidental expiration and
note this is intentional behavior to preserve moving tags like prod and staging.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/clojure.yml:
- Around line 361-371: The publish-eb job/step is not using the DEPLOY_TARGET
tag set during the Docker build, so Elastic Beanstalk always deploys the same
environment; update the publish-eb step (the GitHub Actions step named
"publish-eb") to read the DEPLOY_TARGET environment variable (same name used in
the Build step) and map it to the correct EB environment name (e.g., use a
conditional or lookup to choose "Instant-docker-prod-env" vs your staging env)
before calling the EB deploy command, or explicitly inject DEPLOY_TARGET into
the EB CLI/API call so the deployment target changes with the tag; ensure the
step uses the same env var name and update any hardcoded env names in the
publish-eb step accordingly.

---

Nitpick comments:
In `@server/config/ecr/README.md`:
- Around line 98-113: Move the inline heredoc JSON into separate files and
update the README commands to reference them: create
server/config/ecr/instant-prod-ecr-policy.json and
server/config/ecr/instant-prod-ecr-buildcache-policy.json containing the
respective lifecycle policy objects (the rules shown in the README), then
replace the heredoc usage in the README with aws ecr put-lifecycle-policy
--repository-name instant-prod-ecr --lifecycle-policy-text
file://server/config/ecr/instant-prod-ecr-policy.json and the analogous command
for instant-prod-ecr-buildcache so the CLI reads the JSON files directly.
- Around line 23-36: Add a short explanatory note to the README near the ECR
lifecycle rule example clarifying that using "countType": "imageCountMoreThan"
with "countNumber": 9999 (as shown in the rule containing tagPatternList
["prod","staging"]) is an intentional workaround to effectively never expire
those tags because ECR has no native "never expire" setting; mention that the
high countNumber prevents accidental expiration and note this is intentional
behavior to preserve moving tags like prod and staging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ad42f737-2722-4c78-9b99-5f401ab069c2

📥 Commits

Reviewing files that changed from the base of the PR and between 807eb69 and 3ea6bc3.

📒 Files selected for processing (3)

• .github/workflows/clojure.yml
• server/.elasticbeanstalk/config.yml
• server/config/ecr/README.md

[nezaj]

LGTM but one question